April 2009 wrapup: Thumbdrives under threat

We’ve just tallied the top 10 threats Webroot’s consumer products detected during the month of April, and some interesting trends appear to be shaping up.

Conficker aside, the first quarter of 2009 seemed to be dominated by worms that spread not only over a network, but to virtually anything you can plug into a USB port to store files. Thumbdrives and portable hard drives immediately come to mind, but so do MP3 players, digital picture frames and memory cards — like the kind you’d use in cameras, cellphones, or videogame players.

April proved to be no different. It’s very much a case of what’s old is new again, reminiscent of the era when sharing an infected floppy disk could wreak havoc.

We’re also seeing malware distributors still trying to use old vulnerabilities to try to infect computers. Even JPEG image files containing the MS04-028 vulnerability code — a bug that was fixed in Windows four and a half years ago, are still floating around the net trying to take advantage of older, unpatched system, as are scripts attempting to exploit the ADODB.Stream vulnerability. If you ever needed a reason to run Windows Update, this is it.

Click onward to read the entire list.

#1 — Alman

The Alman virus is a nasty piece of work. It infects applications with a .exe file extension, installs a rootkit to hide parts of itself, downloads additional files from the Internet, and attempts to spread to other vulnerable computers over networks, and by copying itself to removable mass-storage devices such as hard drives, flash memory drives, or MP3 players.

#2 — Worm-Maybenot / Wazner / Mabezat

Wazner, aka Mabezat, aka Worm-Maybenot, copies itself to vulnerable computers on networks, and to removable mass-storage devices such as hard drives, flash memory drives, or MP3 players. It also bollixes up your ability to see file extensions, or files marked as “hidden” (which normally appear greyed out), by changing some registry keys that modify the behavior of Windows Explorer.

#3 — Trojan-Tracur

Tracur (also known in the industry as Agent-INP or Nugg) is a downloader — a file that downloads additional malware or Trojan Horse applications to the victim’s computer — which has been bundled with files that purport to be cracked or pirated copies of legitimate software. We’ve retrieved many copies from peer-to-peer file sharing networks, such as Limewire and BitTorrent.

#4 — Malware.gen/Trojan.gen

We use this definition to classify files that act with malicious intent — such as copying themselves without warning or notice to a system directory and adding a registry key so they start with every reboot — but don’t have unique or distinctive behaviors to warrant their own specific definition.

#5 — Autoinf / worm.gen

We use this to define various kinds of malicious executable files that spread themselves by means of copying an application or DLL file to a removable storage device, and adding an “Autorun.inf” so the application or DLL loads each time the device gets plugged into a Windows computer. (Microsoft also has instructions to disable this functionality so it’s harder for you to infect yourself.)

#6 — Virtumonde

An oldie but baddie, Virtumonde continues to vex the Internet with an astonishing volume of random files. Some components act as downloaders, while others force the computer to display popup advertising or fake “virus alert” messages. All of them are obnoxious, persistent, and continually being updated by the malware’s creator(s).

#7 — MS04-028 exploits

Even though the patch for this Windows vulnerability has been available for more than four years, the bad guys are still trying to foist these modified JPEG image files (detected by us as Exp/MS04-028) onto computers. We don’t see so many infections in this case, but rather a significant number of attempts that are easily foiled by our File System Shield. (You can download a free scan tool from Microsoft to find out if your computer is vulnerable).

#8 — Exploit-PDF / Mal/PDFEx

If you still haven’t gotten around to updating your copy of Adobe Reader, you should. The bad guys are still trying to send around hacked PDF files (detected by us as PDFEx) that exploit a weakness in older copies of this free program for reading Acrobat PDF files. As with the previous item, we don’t see so many infections as mere attempts at infection.

#9 — Virut / W32/Scribble

Another file-infecting virus that just won’t die, Virut (aka Scribble) is one of the most prolific. Virut is more of a “classic” virus that appends its code to any application (or Windows Screen Saver .SCR files) it can find, and will spread to other computers if you copy an infected application to the other computer and run it there. It will also modify otherwise clean files on your hard drive that you’d normally open in a browser (such as HTML files) to insert an iframe that points to a web site which, if loaded, attempts to infect the computer with still more malware.

#10 — Psyme

The Psyme definition incorporates script-based malware that bad guys use to trick your browser into downloading other executable files onto your PC. Usually these scripts take the form of Visual Basic or Javascript code embedded in a Web page. In this case, the Psyme variant we’re blocking is attempting to exploit a nearly five-year-old bug in Internet Explorer called the ADODB.Stream vulnerability. Based on the age of this bug, we’re most likely being alerted to the detection of the attempt by a malicious Web site to try to exploit the bug, not a successful infection.

Trackbacks

[…] mid-year meant that worms are far less likely to be able to spread using portable storage like thumbdrives or digital photo frames; A corresponding dropoff in overall worm detections has borne out the […]

[…] mid-year meant that worms are far less likely to be able to spread using portable storage like thumbdrives or digital photo frames; A corresponding dropoff in overall worm detections has borne out the […]